2.5 Million Infected: PlugX Malware Network Revealed

Researchers from Sekoia have revealed alarming details about the malicious worm PlugX, which, having been abandoned by its creators many years ago, continues to autonomously spread and infect millions of computers worldwide.

PlugX, believed to be linked to China’s Ministry of State Security, was first detected by experts in 2008. By 2019, it had begun to automatically infect USB drives, which in turn transferred the malware to new systems.

The experts acquired the IP address of the abandoned command-and-control server and pointed it at their own infrastructure to intercept the incoming traffic (a technique known as sinkholing). This allowed them to assess the true scale of PlugX's autonomous spread. They found that beacons from infected devices arrived daily from 90,000 to 100,000 unique IP addresses, and that over six months the total number of distinct IPs reached 2.5 million.

Such beacons are standard for nearly all types of malware and usually occur at regular intervals ranging from several minutes to several days. Although the number of source addresses does not equal the number of infected PCs (one host can appear under several addresses over time, and many hosts can share one), the volume of traffic still indicates that the worm remains active on thousands, possibly millions, of devices.
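To illustrate the measurement described above, here is an added example (not Sekoia's code) that computes per-day and cumulative unique source IPs from constructed sinkhole access-log lines; the addresses come from documentation ranges and the log format is assumed.

```python
"""Per-day vs. cumulative unique source IPs seen by a sinkhole."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole access-log lines (not real PlugX traffic).
# Assumed format: "<ISO timestamp> <client IP> <method> <path>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.5 POST /update
2024-03-01T08:30:02 203.0.113.5 POST /update
2024-03-01T09:15:44 198.51.100.7 POST /update
2024-03-02T07:59:10 203.0.113.5 POST /update
2024-03-02T10:01:00 198.51.100.8 POST /update
2024-03-02T10:02:00 192.0.2.33 POST /update
2024-03-03T03:00:00 198.51.100.8 POST /update
""".splitlines()


def parse_line(line):
    """Return (date, source IP) for one log line."""
    ts, ip, _method, _path = line.split()
    return datetime.fromisoformat(ts).date(), ip


def daily_unique_ips(lines):
    """Map each day (ISO string) to the number of distinct source IPs seen."""
    per_day = defaultdict(set)
    for line in lines:
        day, ip = parse_line(line)
        per_day[day].add(ip)
    return {day.isoformat(): len(ips) for day, ips in sorted(per_day.items())}


def cumulative_unique_ips(lines):
    """Distinct source IPs over the whole period (the '2.5 million' figure)."""
    return len({parse_line(line)[1] for line in lines})


if __name__ == "__main__":
    daily = daily_unique_ips(SAMPLE_LOG)
    print("daily unique IPs:", daily)
    print("sum of daily counts:", sum(daily.values()))
    print("cumulative unique IPs:", cumulative_unique_ips(SAMPLE_LOG))
```

The sum of the daily counts (6) exceeds the cumulative total (4) because repeat beaconers are counted once per day, and the cumulative total itself overstates hosts when one machine changes address (as 198.51.100.7 and .8 might be).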

“We initially thought that we would have a few thousand victims connected to it, as is what we can have on our regular sinkholes. However, by setting up a simple web server we saw a continuous flow of HTTP requests varying through the time of the day,” wrote Sekoia researchers Felix Aimé and Charles M.

Interestingly, the highest concentration of infections is observed in countries of strategic military interest and major infrastructure investments for China. The experts are confident that the initial purpose of spreading PlugX was cyber espionage for Beijing. They also write:

“Based on that data, it’s notable that around 15 countries account for over 80% of the total infections. It’s also intriguing to note that the leading infected countries don’t share many similarities, a pattern observed with previous USB worms such as RETADUP, which has the highest infection rates in Spanish-speaking countries. This suggests the possibility that this worm might have originated from multiple patient zeros in different countries.”

The researchers note that any malicious actor who gains control of the server's IP address, or who can interfere with the traffic between the server and the infected devices, could easily take over the worm. The team therefore faced a difficult choice: maintain the status quo and not intervene, or use PlugX’s built-in self-deletion command to remotely remove the code from all infected computers.

The decision seems obvious. However, the second option also carried risks. Even if every PC is disinfected, copies of the malicious code will remain on flash drives and external disks, from which PlugX can begin spreading anew.

The situation is further complicated by the fact that removing the malicious code from connected storage devices risks destroying users’ data. Ignoring the problem, on the other hand, leaves the way open for a new massive wave of infections across the planet.

Having explored all possible scenarios, Sekoia experts have passed the decision on the fate of PlugX to computer emergency response teams and law enforcement agencies of various countries. Over the next three months, national cybersecurity organizations will be able to use the company’s infrastructure to send commands for deactivation or complete removal of the malicious code.

The delay will allow for a meticulously safe operation to “neutralize” PlugX with minimal losses. Ultimately, each country will have to decide independently whether to destroy the malicious program.